A Five-Year Journey: How Trend Micro Helped Bring Down Scan4You

Trend Micro has always had a close relationship with law enforcement around the globe, because we believe that only together can we make the world a safer place in which to exchange digital information. As the business of cybercrime continues to grow and evolve, so must our response. That’s why we were delighted to be able to help the FBI in a five-year, trans-national case which has seen two suspects brought to trial and the end of the notorious Counter AV (CAV) service Scan4You.

As detailed in our new report, the case highlights not only the strength of Trend Micro’s intelligence gathering and investigative support, but the often arduous nature of cybercrime policing.

A long and winding road

CAV services are a key part of the global cybercrime industry, allowing would-be attackers to test the effectiveness of their malware without the risk of being detected. Without them, attacks would not be nearly so successful. Scan4You was one of the most prolific out there, having gained the hard-won trust of countless black hats. But Trend Micro researchers had other ideas.

Back in 2012, while researching a private exploit kit called g01pack, we spotted some unusual activity. Just minutes before the exploits were used in the wild, somebody using IP addresses in Latvia checked whether Trend Micro’s web reputation system already blocked the URLs hosting the exploits. On closer inspection we noticed those IP addresses were not only checking g01pack’s exploit URLs but many others. We had just found Scan4You, an underground service which let cybercriminals check their latest malware against over 35 commercial AV engines.
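The pattern described above, a source that queries the reputation of several not-yet-blocked URLs minutes before they go live, can be hunted for in reputation-service query logs. The following is an added illustration, not Trend Micro’s code; the log lines, IP addresses, URLs and the 30-minute window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real Scan4You logs). Each reputation query
# records when a client asked whether a URL was blocked, and the verdict it got.
QUERIES = [
    ("2012-06-01 10:00:00", "198.51.100.7", "http://ek-a.example/land.php", "clean"),
    ("2012-06-01 10:01:00", "198.51.100.7", "http://ek-b.example/x.jar", "clean"),
    ("2012-06-01 10:02:00", "198.51.100.7", "http://drop.example/p.exe", "clean"),
    ("2012-06-01 10:30:00", "203.0.113.9", "http://news.example/", "clean"),
    ("2012-06-01 11:00:00", "203.0.113.9", "http://ek-a.example/land.php", "blocked"),
]
# Constructed first-seen-in-the-wild times, e.g. from exploit-kit telemetry.
FIRST_SEEN = {
    "http://ek-a.example/land.php": "2012-06-01 10:05:00",
    "http://ek-b.example/x.jar": "2012-06-01 10:07:00",
    "http://drop.example/p.exe": "2012-06-01 10:40:00",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def precheck_sources(queries, first_seen, window=timedelta(minutes=30), min_urls=2):
    """Return {source_ip: sorted URLs} for sources that checked the reputation of
    URLs which were still unblocked and then appeared in the wild within `window`
    of the query. Several such hits from one source is the pre-deployment
    coverage-testing pattern the post describes."""
    hits = defaultdict(set)
    for when, src, url, verdict in queries:
        seen = first_seen.get(url)
        if verdict != "clean" or seen is None:
            continue  # only checks of not-yet-blocked URLs that later went live count
        lead = _ts(seen) - _ts(when)
        if timedelta(0) <= lead <= window:
            hits[src].add(url)
    return {src: sorted(urls) for src, urls in hits.items() if len(urls) >= min_urls}

if __name__ == "__main__":
    for src, urls in precheck_sources(QUERIES, FIRST_SEEN).items():
        print(f"{src} pre-checked {len(urls)} URLs that later went live: {urls}")
```

Tune `window` and `min_urls` to the service’s own telemetry; a single lookup of a later-malicious URL is ordinary noise, and only the repeated, narrowly timed pattern is worth an analyst’s attention.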

Over the next five years we charted the rise of the service, sharing evidence with the FBI in 2014 which ultimately helped lead investigators to arrest and bring to trial two suspects. During that time, we found that site administrators ‘Borland’ and ‘Garrik’ had ties to numerous other cybercrime activities. These included Eva Pharmacy, one of the oldest operations around, which used spam and SEO tactics to sell prescription drugs, as well as campaigns using banking trojans and the sale of stolen credit card details.

The fight goes on

Borland and Garrik were arrested last year as part of an international policing operation, after which we noticed that all Scan4You scanning activity stopped. Even better, we’ve not seen a sizeable spike in users of rival CAV services such as VirusCheckMate, so it looks like the investigation has had a real impact on the cybercrime underground.

This is why Trend Micro has always worked closely with law enforcement. Protecting our customers is vital, but it’s also important to try to effect change by disrupting cybercrime itself. Since 2013, our 20 partnerships with the likes of the FBI, Interpol, Europol, the UK’s National Crime Agency (NCA) and more have certainly worked hard to do just that. In fact, a Scan4You reseller was recently sentenced to two years behind bars after a joint investigation between the NCA and Trend Micro.

It has been rewarding to see that Trend Micro’s cooperation with intelligence investigators helped to bring the Scan4You suspects to trial: it’s testament to the broad base of world-leading in-house skills and capabilities we have amassed over the past 30 years. Cybercrime is usually portrayed on TV or in the movies in a rather stereotyped, high-octane “good versus evil” battle. The truth, as we’ve seen, is rather more mundane, and cases take much longer than 90 minutes to crack.

So, let’s celebrate this success, but steel ourselves for more hard work to come. With close co-operation like this, police and security vendors like ourselves can make life increasingly uncomfortable for the bad guys. They’ve had it easy for far too long. So let’s take the fight to them as we continue on our mission to secure the connected world.